gravitational · webvictim · May 17, 2021 · Apr 6, 2021 · Apr 7, 2021 · Apr 7, 2021
diff --git a/Makefile b/Makefile
@@ -363,8 +363,9 @@ lint-sh:
 
 # Lints all the Helm charts found in directories under examples/chart and exits on failure
 # If there is a .lint directory inside, the chart gets linted once for each .yaml file in that directory
-# We use yamllint's 'relaxed' configuration as it's more compatible with Helm output and will only error on
+# We inherit yamllint's 'relaxed' configuration as it's more compatible with Helm output and will only error on
 # show-stopping issues. Kubernetes' YAML parser is not particularly fussy.
+# If errors are found, the file is printed with line numbers to aid in debugging.
 .PHONY: lint-helm
 lint-helm:
 	@if ! type yamllint 2>&1 >/dev/null; then \
@@ -373,16 +374,21 @@ lint-helm:
 		exit 0; \
 	fi; \
 	for CHART in $$(find examples/chart -mindepth 1 -maxdepth 1 -type d); do \
-		if [ -d $$CHART/.lint ]; then \
-			for VALUES in $$CHART/.lint/*.yaml; do \
-				echo "$$CHART: $$VALUES"; \
-				helm lint --strict $$CHART -f $$VALUES || exit 1; \
-				helm template test $$CHART -f $$VALUES | yamllint -d relaxed - || exit 1; \
+		if [ -d $${CHART}/.lint ]; then \
+			for VALUES in $${CHART}/.lint/*.yaml; do \
+				export HELM_TEMP=$$(mktemp); \
+				echo -n "Using values from '$${VALUES}': "; \
+				yamllint -c examples/chart/.lint-config.yaml $${VALUES} || { cat -En $${VALUES}; exit 1; }; \
+				helm lint --strict $${CHART} -f $${VALUES} || exit 1; \
+				helm template test $${CHART} -f $${VALUES} 1>$${HELM_TEMP} || exit 1; \
+				yamllint -c examples/chart/.lint-config.yaml $${HELM_TEMP} || { cat -En $${HELM_TEMP}; exit 1; }; \
 			done \
 		else \
-			helm lint --strict $$CHART || exit 1; \
-			helm template test $$CHART 1>/dev/null || exit 1; \
-		fi \
+			export HELM_TEMP=$$(mktemp); \
+			helm lint --strict $${CHART} || exit 1; \
+			helm template test $${CHART} 1>$${HELM_TEMP} || exit 1; \
+			yamllint -c examples/chart/.lint-config.yaml $${HELM_TEMP} || { cat -En $${HELM_TEMP}; exit 1; }; \
+		fi; \
 	done
 
 # This rule triggers re-generation of version.go and gitref.go if Makefile changes

diff --git a/examples/chart/.lint-config.yaml b/examples/chart/.lint-config.yaml
@@ -0,0 +1,4 @@
+extends: relaxed
+rules:
+  line-length:
+    max: 120
diff --git a/examples/chart/teleport-auto-trustedcluster/Chart.yaml b/examples/chart/teleport-auto-trustedcluster/Chart.yaml
@@ -1,8 +1,9 @@
 name: teleport-auto-trustedcluster
 apiVersion: v2
-version: 0.0.8
+version: 0.0.9
 appVersion: "6"
-description: Teleport trusted cluster installation which automatically joins itself back to the provided root cluster.
+description: "[deprecated] Teleport trusted cluster installation which automatically joins itself back to the provided root cluster."
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
   - Teleport Enterprise
+deprecated: true
diff --git a/examples/chart/teleport-auto-trustedcluster/templates/service.yaml b/examples/chart/teleport-auto-trustedcluster/templates/service.yaml
@@ -15,8 +15,8 @@ spec:
   type: {{ .Values.service.type }}
   ports:
   {{- range $key, $value := .Values.service.ports }}
-    - name: {{ $key }}
-{{ toYaml $value | indent 6 }}
+  - name: {{ $key }}
+{{ toYaml $value | indent 4 }}
   {{- end }}
 {{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.service.externalTrafficPolicy) }}
   externalTrafficPolicy: "{{ .Values.service.externalTrafficPolicy }}"

diff --git a/.../teleport-cluster/.lint/lint-no-acme.yaml → ...hart/teleport-cluster/.lint/acme-off.yaml b/.../teleport-cluster/.lint/lint-no-acme.yaml → ...hart/teleport-cluster/.lint/acme-off.yaml
@@ -1 +1,3 @@
 clusterName: test-cluster-name
+extraArgs:
+- "--insecure"
diff --git a/examples/chart/teleport-cluster/.lint/acme-on.yaml b/examples/chart/teleport-cluster/.lint/acme-on.yaml
@@ -0,0 +1,3 @@
+clusterName: test-acme-cluster
+acme: true
+acmeEmail: test@email.com
diff --git a/...art/teleport-cluster/.lint/lint-acme.yaml → ...eport-cluster/.lint/acme-uri-staging.yaml b/...art/teleport-cluster/.lint/lint-acme.yaml → ...eport-cluster/.lint/acme-uri-staging.yaml
diff --git a/examples/chart/teleport-cluster/.lint/affinity.yaml b/examples/chart/teleport-cluster/.lint/affinity.yaml
@@ -0,0 +1,29 @@
+clusterName: test-gcp-cluster
+chartMode: gcp
+gcp:
+  projectId: gcpproj-123456
+  backendTable: test-teleport-firestore-storage-collection
+  auditLogTable: test-teleport-firestore-auditlog-collection
+  sessionRecordingBucket: test-gcp-session-storage-bucket
+highAvailability:
+  replicaCount: 2
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: gravitational.io/dedicated
+          operator: In
+          values:
+          - teleport
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+    - podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: app
+            operator: In
+            values:
+            - teleport
+        topologyKey: kubernetes.io/hostname
+      weight: 1
diff --git a/examples/chart/teleport-cluster/.lint/annotations.yaml b/examples/chart/teleport-cluster/.lint/annotations.yaml
@@ -0,0 +1,17 @@
+clusterName: helm-lint
+annotations:
+  config:
+    kubernetes.io/config: "test-annotation"
+    kubernetes.io/config-different: 2
+  deployment:
+    kubernetes.io/deployment: "test-annotation"
+    kubernetes.io/deployment-different: 3
+  pod:
+    kubernetes.io/pod: "test-annotation"
+    kubernetes.io/pod-different: 4
+  service:
+    kubernetes.io/service: "test-annotation"
+    kubernetes.io/service-different: 5
+  serviceAccount:
+    kubernetes.io/serviceaccount: "test-annotation"
+    kubernetes.io/serviceaccount-different: 6
diff --git a/examples/chart/teleport-cluster/.lint/aws-ha-acme.yaml b/examples/chart/teleport-cluster/.lint/aws-ha-acme.yaml
@@ -0,0 +1,14 @@
+clusterName: test-aws-cluster
+chartMode: aws
+aws:
+  region: us-west-2
+  backendTable: test-dynamodb-backend-table
+  auditLogTable: test-dynamodb-auditlog-table
+  sessionRecordingBucket: test-s3-session-storage-bucket
+highAvailability:
+  replicaCount: 3
+  certManager:
+    enabled: true
+    issuerName: letsencrypt-production
+labels:
+  env: aws
diff --git a/examples/chart/teleport-cluster/.lint/aws-ha-antiaffinity.yaml b/examples/chart/teleport-cluster/.lint/aws-ha-antiaffinity.yaml
@@ -0,0 +1,12 @@
+clusterName: test-aws-cluster
+chartMode: aws
+aws:
+  region: us-west-2
+  backendTable: test-dynamodb-backend-table
+  auditLogTable: test-dynamodb-auditlog-table
+  sessionRecordingBucket: test-s3-session-storage-bucket
+highAvailability:
+  replicaCount: 3
+  requireAntiAffinity: true
+labels:
+  env: aws
diff --git a/examples/chart/teleport-cluster/.lint/aws-ha.yaml b/examples/chart/teleport-cluster/.lint/aws-ha.yaml
@@ -0,0 +1,11 @@
+clusterName: test-aws-cluster
+chartMode: aws
+aws:
+  region: us-west-2
+  backendTable: test-dynamodb-backend-table
+  auditLogTable: test-dynamodb-auditlog-table
+  sessionRecordingBucket: test-s3-session-storage-bucket
+highAvailability:
+  replicaCount: 3
+labels:
+  env: aws
diff --git a/examples/chart/teleport-cluster/.lint/aws.yaml b/examples/chart/teleport-cluster/.lint/aws.yaml
@@ -0,0 +1,11 @@
+clusterName: test-aws-cluster
+chartMode: aws
+aws:
+  region: us-west-2
+  backendTable: test-dynamodb-backend-table
+  auditLogTable: test-dynamodb-auditlog-table
+  sessionRecordingBucket: test-s3-session-storage-bucket
+acme: true
+acmeEmail: test@email.com
+labels:
+  env: aws
diff --git a/examples/chart/teleport-cluster/.lint/gcp-ha-acme.yaml b/examples/chart/teleport-cluster/.lint/gcp-ha-acme.yaml
@@ -0,0 +1,14 @@
+clusterName: test-gcp-cluster
+chartMode: gcp
+gcp:
+  projectId: gcpproj-123456
+  backendTable: test-teleport-firestore-storage-collection
+  auditLogTable: test-teleport-firestore-auditlog-collection
+  sessionRecordingBucket: test-gcp-session-storage-bucket
+highAvailability:
+  replicaCount: 3
+  certManager:
+    enabled: true
+    issuerName: letsencrypt-production
+labels:
+  env: gcp
diff --git a/examples/chart/teleport-cluster/.lint/gcp-ha-antiaffinity.yaml b/examples/chart/teleport-cluster/.lint/gcp-ha-antiaffinity.yaml
@@ -0,0 +1,12 @@
+clusterName: test-gcp-cluster
+chartMode: gcp
+gcp:
+  projectId: gcpproj-123456
+  backendTable: test-teleport-firestore-storage-collection
+  auditLogTable: test-teleport-firestore-auditlog-collection
+  sessionRecordingBucket: test-gcp-session-storage-bucket
+highAvailability:
+  replicaCount: 3
+  requireAntiAffinity: true
+labels:
+  env: gcp
diff --git a/examples/chart/teleport-cluster/.lint/gcp-ha.yaml b/examples/chart/teleport-cluster/.lint/gcp-ha.yaml
@@ -0,0 +1,11 @@
+clusterName: test-gcp-cluster
+chartMode: gcp
+gcp:
+  projectId: gcpproj-123456
+  backendTable: test-teleport-firestore-storage-collection
+  auditLogTable: test-teleport-firestore-auditlog-collection
+  sessionRecordingBucket: test-gcp-session-storage-bucket
+highAvailability:
+  replicaCount: 3
+labels:
+  env: gcp
diff --git a/examples/chart/teleport-cluster/.lint/gcp.yaml b/examples/chart/teleport-cluster/.lint/gcp.yaml
@@ -0,0 +1,11 @@
+clusterName: test-gcp-cluster
+chartMode: gcp
+gcp:
+  projectId: gcpproj-123456
+  backendTable: test-teleport-firestore-storage-collection
+  auditLogTable: test-teleport-firestore-auditlog-collection
+  sessionRecordingBucket: test-gcp-session-storage-bucket
+acme: true
+acmeEmail: test@email.com
+labels:
+  env: gcp
diff --git a/examples/chart/teleport-cluster/.lint/initcontainers.yaml b/examples/chart/teleport-cluster/.lint/initcontainers.yaml
@@ -0,0 +1,5 @@
+clusterName: helm-lint
+initContainers:
+- name: "teleport-init"
+  image: "alpine"
+  args: ["echo test"]
diff --git a/examples/chart/teleport-cluster/.lint/resources.yaml b/examples/chart/teleport-cluster/.lint/resources.yaml
@@ -0,0 +1,10 @@
+clusterName: helm-lint
+# These are just sample values to test the chart.
+# They are not intended to be guidelines or suggestions for running teleport.
+resources:
+  limits:
+    cpu: 2
+    memory: 4Gi
+  requests:
+    cpu: 1
+    memory: 2Gi
diff --git a/examples/chart/teleport-cluster/.lint/standalone-customsize.yaml b/examples/chart/teleport-cluster/.lint/standalone-customsize.yaml
@@ -0,0 +1,8 @@
+clusterName: test-standalone-cluster
+chartMode: standalone
+standalone:
+  existingClaimName: teleport-storage
+acme: true
+acmeEmail: test@email.com
+labels:
+  env: standalone
diff --git a/examples/chart/teleport-cluster/.lint/standalone-existingpvc.yaml b/examples/chart/teleport-cluster/.lint/standalone-existingpvc.yaml
@@ -0,0 +1,8 @@
+clusterName: test-standalone-cluster
+chartMode: standalone
+standalone:
+  volumeSize: 50Gi
+acme: true
+acmeEmail: test@email.com
+labels:
+  env: standalone
diff --git a/examples/chart/teleport-cluster/.lint/tolerations.yaml b/examples/chart/teleport-cluster/.lint/tolerations.yaml
@@ -0,0 +1,18 @@
+clusterName: test-aws-cluster
+chartMode: aws
+aws:
+  region: us-west-2
+  backendTable: test-dynamodb-backend-table
+  auditLogTable: test-dynamodb-auditlog-table
+  sessionRecordingBucket: test-s3-session-storage-bucket
+highAvailability:
+  replicaCount: 3
+tolerations:
+- key: "dedicated"
+  operator: "Equal"
+  value: "teleport"
+  effect: "NoExecute"
+- key: "dedicated"
+  operator: "Equal"
+  value: "teleport"
+  effect: "NoSchedule"
diff --git a/...t-cluster/.lint/lint-versionoverride.yaml → ...eport-cluster/.lint/version-override.yaml b/...t-cluster/.lint/lint-versionoverride.yaml → ...eport-cluster/.lint/version-override.yaml
diff --git a/examples/chart/teleport-cluster/.lint/volumes.yaml b/examples/chart/teleport-cluster/.lint/volumes.yaml
@@ -0,0 +1,8 @@
+clusterName: helm-lint
+extraVolumeMounts:
+- name: "my-mount"
+  path: "/path/to/mount"
+extraVolumes:
+- name: "my-mount"
+  secret:
+    secretName: "mySecret"
diff --git a/examples/chart/teleport-cluster/Chart.yaml b/examples/chart/teleport-cluster/Chart.yaml
@@ -1,6 +1,6 @@
 name: teleport-cluster
 apiVersion: v2
-version: 6.0.0
+version: "6"
 appVersion: "6"
 description: Teleport is a unified access plane for your infrastructure
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg

diff --git a/examples/chart/teleport-cluster/templates/NOTES.txt b/examples/chart/teleport-cluster/templates/NOTES.txt
@@ -0,0 +1,16 @@
+{{- if .Values.highAvailability.certManager.enabled }}
+You have enabled cert-manager support in high availability mode.
+
+There may be a short delay before Teleport pods start while an ACME certificate is issued.
+You can check the status of the certificate with `kubectl -n {{ .Release.Namespace }} describe certificate/{{ .Release.Name }}`
+
+NOTE: For certificates to be provisioned, you must also install cert-manager (https://cert-manager.io/docs/) and configure an appropriate
+      Issuer with access to your DNS provider to handle DNS01 challenges (https://cert-manager.io/docs/configuration/acme/dns01/#supported-dns01-providers)
+
+For more information, please see the Helm guides in the Teleport docs (https://goteleport.com/docs/kubernetes-access/helm/guides/)
+{{- else if (gt (int .Values.highAvailability.replicaCount) 1) }}
+You have requested more than 1 replica but have not enabled cert-manager support (highAvailability.certManager.enabled=true) to get ACME certificates.
+Your Teleport cluster will not be properly accessible by remote nodes until TLS certificates with the correct clusterName ({{ .Values.clusterName }}) are configured.
+
+For more information, please see the Helm guides in the Teleport docs (https://goteleport.com/docs/kubernetes-access/helm/guides/)
+{{- end }}
diff --git a/examples/chart/teleport-cluster/templates/certificate.yaml b/examples/chart/teleport-cluster/templates/certificate.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.highAvailability.certManager.enabled }}
+  {{- $domain:= (required "clusterName is required in chartValues when certManager is enabled" .Values.clusterName) }}
+  {{- $domainWildcard := printf "*.%s" (required "clusterName is required in chartValues when certManager is enabled" .Values.clusterName) }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: teleport-tls
+  dnsNames:
+  - {{ quote $domain }}
+  - {{ quote $domainWildcard }}
+  issuerRef:
+    name: {{ required "highAvailability.certManager.issuerName is required in chart values" .Values.highAvailability.certManager.issuerName }}
+    kind: {{ required "highAvailability.certManager.issuerKind is required in chart values" .Values.highAvailability.certManager.issuerKind }}
+{{- end }}